Google phasing out SSL 3.0 protocol by Chrome 40

20:19 Monday Dec 8, 2014

            

Google today announced plans to disable fallback to version 3 of the SSL protocol in Chrome 39, and remove SSL 3.0 completely in Chrome 40. The decision follows the company’s disclosure of a serious security vulnerability in SSL 3.0 on October 14, the attack it dubbed Padding Oracle On Downgraded Legacy Encryption (POODLE).

Following Mozilla’s decision on the same day to disable SSL 3.0 by default in Firefox 34, which will be released on November 25, Google has laid out its plans for Chrome. This was expected, given that Google Security Team’s Bodo Möller stated at the time: “In the coming months, we hope to remove support for SSL 3.0 completely from our client products.”

Google explains that website administrators should take note of these upcoming changes:

SSLv3-fallback is only needed to support buggy HTTPS servers. Servers that correctly support only SSLv3 will continue to work (for now) but some buggy servers may stop working. The answer in these cases is to fix the server — TLS 1.0 is nearly 15 years old at this point.

The fallback option is already disabled in Chrome’s newer non-stable versions (the Canary, Dev, and Beta channels for those who follow the browser’s development). Google says it has run out of time to translate a specific error message into all the languages Chrome supports. As such, when the browser encounters a buggy server, it will display a generic error message, and toggling the Details option will show ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION.

Currently, Google also plans to disable SSL 3.0 completely in Chrome 40, though it hints that may be delayed if too many compatibility issues arise. In the meantime, Chrome 39 will show a yellow badge over the lock icon for SSL 3.0 sites, which will need to be updated to at least TLS 1.0 before Chrome 40 is released (developers can run Chrome with --ssl-version-min=tls1 in order to test their sites).

Enterprises can use the policy options SSLVersionMin and SSLVersionFallbackMin to control the minimum SSL/TLS version and the minimum fallback version, respectively, in Chrome 39; in Chrome 40 the same controls are also available via about:flags. Google plans to remove SSL 3.0 client support from Chrome’s code eventually, at which point those workarounds won’t work, but it wouldn’t say exactly when this would be.
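The difference between the two settings, and why a correct SSLv3-only server keeps working while a buggy one fails, can be seen in a simplified model of the client's retry logic. This is an added example, not Chrome's code: the Server class, the connect function and every outcome label other than ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION are assumptions made for illustration.

```python
# Simplified model of version negotiation with fallback (illustrative only).
VERSIONS = ["ssl3", "tls1", "tls1.1", "tls1.2"]  # ordered oldest -> newest


def rank(version):
    return VERSIONS.index(version)


class Server:
    """Constructed server model. `intolerant` marks the buggy kind that aborts
    the handshake when the client offers a newer version than it knows,
    instead of answering with its own highest version."""

    def __init__(self, highest, intolerant=False):
        self.highest = highest
        self.intolerant = intolerant

    def handshake(self, client_max):
        if rank(client_max) > rank(self.highest):
            return None if self.intolerant else self.highest
        return client_max


def connect(server, version_min="ssl3", fallback_min="ssl3", version_max="tls1.2"):
    """Return (outcome, negotiated_version).

    version_min  -- lowest version accepted at all (cf. SSLVersionMin)
    fallback_min -- lowest version the client will retry with after a
                    failed handshake (cf. SSLVersionFallbackMin)
    """
    offer = version_max
    while True:
        chosen = server.handshake(offer)
        if chosen is not None:
            if rank(chosen) < rank(version_min):
                return ("rejected_below_version_min", None)  # hypothetical label
            return ("ok", chosen)
        # Handshake aborted: retry one version lower, unless a floor forbids it.
        lower = rank(offer) - 1
        if lower >= 0 and lower < rank(fallback_min):
            return ("ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION", None)
        if lower < 0 or lower < rank(version_min):
            return ("handshake_failed", None)  # hypothetical label
        offer = VERSIONS[lower]
```

With fallback_min="tls1" and version_min="ssl3" the model corresponds to the Chrome 39 behaviour the article describes; raising version_min to "tls1" corresponds to Chrome 40.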

Speaking of timing, Chrome is updated approximately every six weeks. As we’ve noted before, Chrome 39 should arrive next month, which means Chrome 40 will arrive late this year or early in 2015.

Unlike Mozilla, Google doesn’t provide exact dates for its Chrome releases. While it’s great to see the company commit to getting rid of SSL 3.0, it’s worth noting that Mozilla reacted much faster, and its researchers weren’t even the ones to find the flaw.

Yet it’s still doing better than Microsoft, which yesterday declared it was “working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.” No specific IE versions or timeframes were offered, though the company did provide a temporary one-click “Fix it for me” solution.

Source: venturebeat.com

 

    © copyright 2013 Website News. All rights reserved.

     
